To take advantage of Cortex XDR investigation and detection
capabilities while using Check Point firewalls, forward your firewall
logs to Cortex XDR.
Ingesting logs and data requires a Cortex XDR Pro per TB license.
If you use Check Point FW1/VPN1 firewalls, you can still take advantage of Cortex XDR investigation
and detection capabilities by forwarding your Check Point firewall logs to Cortex XDR.
Check Point firewall logs can be used as the sole data source; you can also use them
in conjunction with Palo Alto Networks firewall logs and additional data sources.
Cortex XDR can stitch data from Check Point firewalls with other logs to make up network stories
searchable in the Query Builder and in XQL queries. Cortex XDR can also return
raw data from Check Point firewalls in XQL queries.
sessionid = 0
Port data is available only in the raw logs.
Cortex XDR can both surface native Check Point firewall alerts and raise its own alerts
on network activity. Alerts are shown in the alert, incident, and investigation views.
To integrate your logs, you first need to set up an applet in a broker
VM within your network to act as a Syslog Collector. You then configure
your Check Point firewall policy to log all traffic and set up the
Log Exporter on your Check Point Log Server to forward logs to the
Syslog Collector in CEF format.
As soon as Cortex XDR starts to receive logs, the app can begin stitching
network connection logs with other logs to form network stories.
Cortex XDR can also analyze your logs to raise Analytics alerts and can apply
IOC, BIOC, and Correlation Rule matching. You can also use queries to search
your network connection logs.
Ensure that your Check Point firewalls meet the following requirements:
Check Point software version: R77.30, R80.10, R80.20, R80.30,
Increase log storage for Check Point firewall logs.
As an estimate for initial sizing, note that the average
Check Point log size is roughly 700 bytes. For proper sizing calculations,
test the log sizes and log rates produced by your Check Point firewalls.
For more information, see Manage Your Log Storage within Cortex XDR.
Configure the Check Point firewall to forward syslog
events in CEF format to the Syslog Collector.
Configure your firewall policy to log all traffic and set
up the Log Exporter to forward logs to the Syslog Collector. For
more information on setting up Log Exporter, see the Check Point
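As an added example (not code from the Cortex XDR documentation, Palo Alto Networks or Check Point), the following Python parses the syslog-wrapped CEF records that the Log Exporter setup above delivers to the Syslog Collector, and applies the sizing arithmetic from the log-storage step. The sample lines, hostnames, addresses and vendor/product strings are constructed for illustration and are not guaranteed to match real Log Exporter output.

```python
import re

# Constructed sample of what a Check Point Log Exporter forwards to the Syslog Collector
# (RFC 3164 syslog header + CEF record); hosts, addresses and product strings are made up.
SAMPLE_LINES = [
    "<134>Jun 12 10:15:02 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.30|Accept|Accept|0|"
    "rt=1623492902000 src=10.1.2.3 spt=51234 dst=93.184.216.34 dpt=443 proto=tcp act=Accept",
    "<134>Jun 12 10:15:03 cp-mgmt CEF:0|Check Point|VPN-1 & FireWall-1|R80.30|Drop|Drop|5|"
    "rt=1623492903000 src=10.1.2.9 spt=40001 dst=10.9.9.9 dpt=22 proto=tcp act=Drop msg=Rule 7\\=deny",
]
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # where an extension key=value pair starts

def _split_header(record):
    """Split the 7 pipe-delimited header fields ('\\|' and '\\\\' are escapes); return them plus the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record) and record[i + 1] in "|\\":
            cur.append(record[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7: raise ValueError("CEF header has fewer than 7 fields")
    return fields + [record[i:]]

def _parse_extension(ext):
    """key=value pairs; values may contain spaces, and '=' inside a value is escaped as '\\='."""
    keys = list(KEY_RE.finditer(ext))
    unesc = lambda v: re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e[1], e[1]), v)
    return {m.group(1): unesc(ext[m.end():(n.start() if n else len(ext))]).strip()
            for m, n in zip(keys, keys[1:] + [None])}

def parse_cef_line(line):
    """Find the CEF record inside a syslog line and return header + extension fields as a dict."""
    m = re.search(r"CEF:\d+\|", line)
    if not m: raise ValueError("no CEF record in line")
    parts = _split_header(line[m.start():])
    rec = dict(zip(HEADER_FIELDS, parts[:7]))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec.update(_parse_extension(parts[7]))
    return rec

def daily_storage_bytes(lines, events_per_second, fallback_avg=700):
    """Per-day sizing estimate from measured average event size (doc's rough figure: ~700 B) and rate."""
    avg = sum(len(l.encode()) for l in lines) / len(lines) if lines else fallback_avg
    return int(avg * events_per_second * 86400)
```

Feed captured lines from your own collector into daily_storage_bytes rather than relying on the 700-byte fallback, since the documentation asks you to measure real log sizes and rates before sizing storage.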